Armis research finds vulnerabilities in Bluetooth Low Energy chips are making for a major IoT security risk.

Courtney Bjorlin

November 2, 2018


Vulnerabilities in chips made by Texas Instruments open enterprises to attacks that are capable of breaching even network segmentation, a major security strategy used to guard against the risks of IoT devices, according to research from Armis.

The Bluetooth Low Energy (BLE) chips are used in many products, according to Armis. The highest risk for the enterprise comes from the chips in the Wireless Access Points (WAP) made by Cisco, Meraki and Aruba. The vulnerabilities allow an unauthenticated attacker to broadcast a BLE beacon, take over the access points, spread malware and move laterally across network segments, according to Armis. The vulnerabilities can’t be detected or stopped by traditional network and endpoint security solutions, according to researchers.

As far as researchers know, such an attack has not happened outside the research done in the labs of the IoT security startup. But its risk signals two things to enterprises: that they need to view access points as unprotected and unmanaged devices, and that network segmentation, a primary security strategy, is at risk in the IoT age, according to Armis.

“There’s this virtual entity called the network. But it’s implemented by devices like any other IoT device,” said Ben Seri, vice president of research at Armis, an IoT security startup based in both Israel and Palo Alto. “There are no traditional security mechanisms that look at these attacks. This is something that is new in the marketplace. It can rise really fast.”

The good news is security updates for the so-called “BLEEDINGBIT” bug have already been provided by Texas Instruments. Cisco, Meraki and Aruba were expected to announce patches Thursday, and Armis researchers are confident the patches will address the vulnerabilities.

The bug gets its name from a failure to mask the highest (most significant) bit of the BLE packet’s length field, according to Armis. Turning this bit on causes a memory corruption that can lead to remote code execution (RCE). This one bit will cause the entire chip to bleed, according to Armis.
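As an added illustration of the defect class (not Armis’s research code and not TI’s firmware), the C model below puts a parser that trusts the raw length byte beside one that masks the reserved high bit and bound-checks before copying. The 2-byte header layout, the 7-bit length field and the 37-byte receive buffer are assumptions of this model, not the chips’ actual implementation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model (an assumption, not TI's firmware or the exact BLE header
 * layout): a 2-byte header followed by the advertising payload, at most
 * 37 bytes. The payload length sits in the low 7 bits of the second header
 * byte; the top bit is reserved and must be masked off before use. */
#define ADV_HDR_LEN     2u
#define ADV_PAYLOAD_MAX 37u
#define ADV_LEN_MASK    0x7Fu

struct adv_pdu { uint8_t payload[ADV_PAYLOAD_MAX]; size_t len; };

/* The defect class: trust the raw length byte. A header byte of 0x85 is
 * taken as 133 bytes, far past a 37-byte receive buffer. */
unsigned vulnerable_length(const uint8_t *frame) {
    return frame[1];
}

/* Hardened parse: reject reserved bits, mask, then bound-check against both
 * the buffer and the bytes actually received; copy nothing on failure. */
bool parse_adv_pdu(const uint8_t *frame, size_t frame_len, struct adv_pdu *out) {
    if (frame == NULL || out == NULL || frame_len < ADV_HDR_LEN) return false;
    if ((frame[1] & ~ADV_LEN_MASK) != 0) return false;   /* high bit set: malformed */
    size_t len = frame[1] & ADV_LEN_MASK;                 /* 0..127 after masking */
    if (len > ADV_PAYLOAD_MAX) return false;              /* still larger than the buffer */
    if (len > frame_len - ADV_HDR_LEN) return false;      /* claims more than arrived */
    memcpy(out->payload, frame + ADV_HDR_LEN, len);
    out->len = len;
    return true;
}

/* Returns the accepted payload length, or 0 when the frame is rejected
 * (an honest zero-length payload also yields 0). */
size_t accepted_length(const uint8_t *frame, size_t frame_len) {
    struct adv_pdu pdu;
    return parse_adv_pdu(frame, frame_len, &pdu) ? pdu.len : 0;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t FRAME_OK[]       = {0x00, 0x05, 1, 2, 3, 4, 5}; /* honest 5-byte payload */
static const uint8_t FRAME_HIGH_BIT[] = {0x00, 0x85, 1, 2, 3, 4, 5}; /* same, high bit set */
static const uint8_t FRAME_OVERSIZE[] = {0x00, 0x3F, 1, 2, 3, 4, 5}; /* claims 63 bytes, 5 present */
```

The unmasked parser reads 0x85 as a 133-byte payload; the hardened one rejects both the reserved-bit frame and the frame that claims more bytes than were received.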

The vulnerabilities are born of two issues. First, a hacker can broadcast malicious BLE packets, and any vulnerable access point within range would be compromised. The hacker can use the BLE chip to compromise the main operating system and gain full control over it, according to Armis. This vulnerability impacts the TI cc2640/50, embedded in Cisco and Meraki Wi-Fi access points.

A second issue comes from a feature left on in the BLE chip that was not supposed to be shipped in production. Using this over-the-air download (OAD) feature, the hacker can install a new and different version of firmware, effectively rewriting the operating system of the device, according to researchers. By abusing this feature, an attacker can gain a foothold on an access point through which they can penetrate secure networks, according to Armis. This issue affects Aruba Series 300 Wi-Fi access points with the TI BLE chip (cc2540).

Most organizations that use these wireless access points don’t use the features enabled by the BLE chips, according to researchers. For that reason, in addition to applying the patches, researchers recommend turning off the BLE chip if the organization doesn’t need it.

In all, the vulnerabilities show the implications of chip firmware and unmanaged devices in enterprises.

“Every device should have a zero trust approach right now,” said Michael Parker, vice president of marketing for Armis.
